Cyber Law Related Risk Management
 
Just as the Bazee.com episode sounded a warning to Web publishers on the risks of non-observance of "Due Diligence" under ITA-2000, the Citibank-Mphasis fraud in Pune has sounded a warning among IT and BPO companies.
 
For the record, it may be stated that "frauds" are an inevitable part of any financial services business, and the bigger the institution, the higher the probability of fraud. Nor is this the first time that employees have conspired to commit a fraud and the employer has had to bear the risk of loss, whether as a matter of business prudence, as a legal liability, or simply as a PR exigency.
 
Citibank and Mphasis would therefore consider this incident an inevitable business risk and will continue their respective businesses, absorbing the financial and reputational loss they might have suffered in the process.
 
However, it is necessary to observe that the incident has become yet another stick with which to beat the Indian BPO industry, and critics abroad are already at work predicting that this is the beginning of the fall of the Indian BPO industry. A recent article on a reputed international website and the intense debate occurring on various internet forums have been unfairly critical of the Indian laws, the Indian judiciary, the Indian Police, Nasscom and also the Indian BPO industry. Taken together, these discussions appear to be an attempt to create an impression that India is not a reliable BPO partner.
 
It is suggested that this threat to the Indian BPO industry should not be taken lightly and that suitable efforts be made by various organizations, including Nasscom, to put the problem in the right perspective.
 
"Frauds are inevitable in business. Fraud risk is a business risk which cannot be wished away and needs to be managed."
 
At the same time, it is also necessary to recognize that the Indian IT and BPO industry has to initiate some steps to reassure its international clientele that we are capable of learning from our past mistakes and making the system more robust than it was earlier.
 
In this context, it is necessary for our industry to recognize that if an organization has 10,000 employees, they represent 10,000 "Potential Risk Points". This is not to say that the loyalty of every employee is to be suspected. But if statistics indicate that more than 60% of cyber crimes are employee-related crimes and that many of them affect the organization seriously, then no management can afford to ignore this risk.
 
HR managers therefore have a challenge on their hands: to fight the possible involvement in cyber crimes of a few of the tens of thousands of employees they recruit, while keeping all of them motivated for better performance. Security professionals will often take an extreme view of things, which needs to be balanced against the need to keep up employee morale.
 
It is therefore necessary to develop a sensible "Techno Legal Cyber Security Plan" for an organization, one which provides adequate protection to the organization from the liabilities arising from the misconduct of its employees (and ex-employees) without adversely affecting the morale of the staff.
 
The CyLawCom programme suggested by the undersigned and implemented through Cyber Law College and Cyber Society of India is a step in this direction. It aims at developing achievable standards of Techno Legal Cyber Security practices that mitigate the risks associated with non-compliance with Cyber Laws.
 
Hopefully the IT and BPO industry will understand the urgent need to review their systems, practices and manpower resources and to take such CyLawCom measures as may be necessary for their organizations. (For more details on CyLawCom audit and certification, refer to www.cylawcom.org.)
  
Naavi
  
April 13, 2005
  